Which? has uncovered concerning vulnerabilities in connected toys that could pose a child safety risk and is calling for retailers to stop selling toys with proven security issues.
Which? had concerns about a number of connected toys so, in collaboration with German consumer group Stiftung Warentest and other security research experts, it has conducted a snapshot test of popular Bluetooth or Wi-Fi toys on sale at major retailers.
This has revealed concerning vulnerabilities in several devices that could enable a stranger to talk to a child.
The investigation found that someone could use a toy to communicate with a child in four out of the seven devices tested. It revealed worrying security failures with the Furby, I-Que Intelligent Robot, Toy-fi Teddy, and CloudPets cuddly toy.
In each of the toys the Bluetooth connection had not been secured, meaning during the tests our hacker didn’t need a password, PIN code or any other authentication to get access. In addition, very little technical know-how was needed to gain access to the toys to start sharing messages with a child.
The toys we discovered could be hacked:
- Furby Connect is available at Argos, Amazon, Smyths and Toys R Us, and Toys R Us ranked it as a Christmas toy to have last year. Anyone within a 10-30 metre Bluetooth range can connect to the toy when it’s switched on, with no physical interaction required. This is because it does not use any security features when pairing. Plus, you can make the connection via a laptop, opening up more opportunities to control the toy. Our security experts were able to upload and play a custom audio file on the Furby.
- The I-Que Intelligent Robot has previously featured on Hamleys’ top toys Christmas list and is available from Argos and Hamleys. This brightly coloured talking robot uses Bluetooth to pair with a phone or tablet through an app, but the connection is unsecured. Which?’s investigation discovered that anyone can download the app, find an I-Que within Bluetooth range and start chatting using the robot’s voice by typing into a text field. The toy is made by Genesis Toys, the same manufacturer as the Cayla doll, which was recently banned in Germany due to security and hacking concerns.
- CloudPets, available from Amazon, comes as a stuffed animal and enables friends to send messages to a child, played back on a built-in speaker. Which? found someone could hack the toy via its unsecured Bluetooth connection and make it play their own voice messages.
- Toy-fi Teddy, available from Amazon, is a teddy that allows a child to send and receive personal recorded messages over Bluetooth via a smartphone or tablet app. However, Which? found the Bluetooth lacks any authentication protections, meaning our hackers could send their voice messages to a child and receive answers back.
Which? has now written to retailers to urge them to stop selling connected toys that have proven security issues.
Alex Neill, Which? Managing Director of Home Products and Services, said:
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution.
“Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”